Do we have a Boinc virus?
Author | Message |
---|---|
Fred G (Joined: 17 May 99, Posts: 185, Credit: 24,109,481, RAC: 0) | Something interesting came up on Team Starfire. A non-SETI member had a problem with "setiathome_4.18_windows_intelx86.exe" running in the background and couldn't get rid of it. After doing a lot of searching we found that it was hidden in his system32 folder and the exe was renamed to "wupdmgr1.exe". Someone went to a lot of trouble to hide everything. We found out the user that is getting the credits, and his stats are very interesting: http://setiathome.berkeley.edu/team_display.php?teamid=122736 A one-user team and ranked 10th in the world. What do you think? Edit: had the wrong URL posted. >Fred http://www.teamstarfire.org/ |
Shadowcats (Joined: 22 Sep 03, Posts: 36, Credit: 173,101, RAC: 0) | |
Fred G (Joined: 17 May 99, Posts: 185, Credit: 24,109,481, RAC: 0) | *"Ummm, can't see"* Try it now. I had the wrong URL posted. http://www.teamstarfire.org/ |
Shadowcats (Joined: 22 Sep 03, Posts: 36, Credit: 173,101, RAC: 0) | |
Prognatus (Joined: 6 Jul 99, Posts: 1600, Credit: 391,546, RAC: 0) | Did he download BOINC from download.com or directly from Berkeley? |
Fred G (Joined: 17 May 99, Posts: 185, Credit: 24,109,481, RAC: 0) | *"Did he download BOINC from download.com or directly from Berkeley?"* He didn't even know what Boinc or Seti was. He just noticed the files were using his CPU time. http://www.teamstarfire.org/ |
Kinguni (Joined: 15 Feb 00, Posts: 239, Credit: 9,043,007, RAC: 0) | *"Did he download BOINC from download.com or directly from Berkeley?"* He didn't download it at all. It installed without his permission under a different name, made to look like it's the Windows Update service. Join Team Starfire BOINC Chat |
Shadowcats (Joined: 22 Sep 03, Posts: 36, Credit: 173,101, RAC: 0) | |
Misfit (Joined: 21 Jun 01, Posts: 21804, Credit: 2,815,091, RAC: 0) | Interesting process name - wupdmgr.exe. According to BOINC Stats he has 13 hosts, and more info. Here are his computers on CPDN. |
Prognatus (Joined: 6 Jul 99, Posts: 1600, Credit: 391,546, RAC: 0) | *"He didn't download it at all. It installed without his permission under a different name, made to look like it's the Windows Update service."* Did he get an email from "Microsoft" with a link to "Windows Update"? If so, he probably got a virus. Microsoft doesn't send out emails like that. A friend of mine followed such a link and had to reformat his entire drive to get rid of the virus. |
Fred G (Joined: 17 May 99, Posts: 185, Credit: 24,109,481, RAC: 0) | Reading the Starfire thread: has he actually asked his brother? I think he would have recognized the name if it was his brother. He is from Canada and the account is in Germany. http://www.teamstarfire.org/ |
Fred G (Joined: 17 May 99, Posts: 185, Credit: 24,109,481, RAC: 0) | |
Fred G (Joined: 17 May 99, Posts: 185, Credit: 24,109,481, RAC: 0) | *"Interesting process name - wupdmgr.exe"* Nice work Misfit! For 13 hosts that's a nice RAC, 121,566, and today was a bad day. http://www.teamstarfire.org/ |
Paul D. Buck (Joined: 19 Jul 00, Posts: 3898, Credit: 1,158,042, RAC: 0) | Very interesting ... quite an exploit ... :( I wonder if this would be a good candidate for: Total Credit => 0 ... |
MikeSW17 (Joined: 3 Apr 99, Posts: 1603, Credit: 2,700,523, RAC: 0) | The subject of Virii always elicits a very emotional and often panic reaction. Before taking this discussion further, it is very important to note that BOINC itself hasn't any virus characteristics, but, like any program, it can be the payload carried by a true virus or other exploit. Whatever the outcome of this issue, BOINC is entirely blameless. |
Paul D. Buck (Joined: 19 Jul 00, Posts: 3898, Credit: 1,158,042, RAC: 0) | *"The subject of Virii always elicits a very emotional and often panic reaction."* Oh, sure... no argument there ... |
Kinguni (Joined: 15 Feb 00, Posts: 239, Credit: 9,043,007, RAC: 0) | *"It is very important to note that BOINC itself hasn't any virus characteristics, but, like any program, it can be the payload carried by a true virus or other exploit."* Of course. This was done by more than one user with classic SETI as well. Join Team Starfire BOINC Chat |
Mr.Pernod (Joined: 8 Feb 04, Posts: 350, Credit: 1,015,988, RAC: 0) | Seen the same thing happening with FaH. Some people find it useful to make programs like FaH or SETI part of self-extracting/installing archives distributed via p2p networks. So it is most likely it was just a simple p2p download (which the 'victim' most likely will not admit to) that installed SETI. |
Crunch3r (Joined: 15 Apr 99, Posts: 1546, Credit: 3,438,823, RAC: 0) | *"Very interesting ... quite an exploit ... :("* I agree with you Paul. Furthermore I would consider deleting the account as an option. Join BOINC United now! |
Jack Gulley (Joined: 4 Mar 03, Posts: 423, Credit: 526,566, RAC: 0) | If the Berkeley staff are not already all over this one, they should be, before the press is. Computer IDs in that account might allow them to find the IP addresses being used, and maybe track back to some of the system owners. And at least tell us how many different systems are being used and are "infected" this way. It would take at least 100 and maybe 300 systems or more to generate that kind of average credit. The team was set up January 1, 2006, but he had over 5 million credits then. Based on his credit history he has been at this for four months or longer, holds second place in BOINC/Seti rank, and has not been detected? |
©2024 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.